xref: /openbmc/linux/crypto/blake2b_generic.c (revision 0c0408e86dbe8f44d4b27bf42130e8ac905361d6) 
191d68933SDavid Sterba // SPDX-License-Identifier: (GPL-2.0-only OR Apache-2.0)
291d68933SDavid Sterba /*
391d68933SDavid Sterba  * BLAKE2b reference source code package - reference C implementations
491d68933SDavid Sterba  *
591d68933SDavid Sterba  * Copyright 2012, Samuel Neves <sneves@dei.uc.pt>.  You may use this under the
691d68933SDavid Sterba  * terms of the CC0, the OpenSSL Licence, or the Apache Public License 2.0, at
791d68933SDavid Sterba  * your option.  The terms of these licenses can be found at:
891d68933SDavid Sterba  *
991d68933SDavid Sterba  * - CC0 1.0 Universal : http://creativecommons.org/publicdomain/zero/1.0
1091d68933SDavid Sterba  * - OpenSSL license   : https://www.openssl.org/source/license.html
1191d68933SDavid Sterba  * - Apache 2.0        : http://www.apache.org/licenses/LICENSE-2.0
1291d68933SDavid Sterba  *
1391d68933SDavid Sterba  * More information about the BLAKE2 hash function can be found at
1491d68933SDavid Sterba  * https://blake2.net.
1591d68933SDavid Sterba  *
1691d68933SDavid Sterba  * Note: the original sources have been modified for inclusion in linux kernel
1791d68933SDavid Sterba  * in terms of coding style, using generic helpers and simplifications of error
1891d68933SDavid Sterba  * handling.
1991d68933SDavid Sterba  */
2091d68933SDavid Sterba 
2191d68933SDavid Sterba #include <asm/unaligned.h>
2291d68933SDavid Sterba #include <linux/module.h>
2391d68933SDavid Sterba #include <linux/string.h>
2491d68933SDavid Sterba #include <linux/kernel.h>
2591d68933SDavid Sterba #include <linux/bitops.h>
2691d68933SDavid Sterba #include <crypto/internal/hash.h>
2791d68933SDavid Sterba 
2891d68933SDavid Sterba #define BLAKE2B_160_DIGEST_SIZE		(160 / 8)
2991d68933SDavid Sterba #define BLAKE2B_256_DIGEST_SIZE		(256 / 8)
3091d68933SDavid Sterba #define BLAKE2B_384_DIGEST_SIZE		(384 / 8)
3191d68933SDavid Sterba #define BLAKE2B_512_DIGEST_SIZE		(512 / 8)
3291d68933SDavid Sterba 
3391d68933SDavid Sterba enum blake2b_constant {
3491d68933SDavid Sterba 	BLAKE2B_BLOCKBYTES    = 128,
3591d68933SDavid Sterba 	BLAKE2B_KEYBYTES      = 64,
3691d68933SDavid Sterba };
3791d68933SDavid Sterba 
3891d68933SDavid Sterba struct blake2b_state {
3991d68933SDavid Sterba 	u64      h[8];
4091d68933SDavid Sterba 	u64      t[2];
4191d68933SDavid Sterba 	u64      f[2];
4291d68933SDavid Sterba 	u8       buf[BLAKE2B_BLOCKBYTES];
4391d68933SDavid Sterba 	size_t   buflen;
4491d68933SDavid Sterba };
4591d68933SDavid Sterba 
4691d68933SDavid Sterba static const u64 blake2b_IV[8] = {
4791d68933SDavid Sterba 	0x6a09e667f3bcc908ULL, 0xbb67ae8584caa73bULL,
4891d68933SDavid Sterba 	0x3c6ef372fe94f82bULL, 0xa54ff53a5f1d36f1ULL,
4991d68933SDavid Sterba 	0x510e527fade682d1ULL, 0x9b05688c2b3e6c1fULL,
5091d68933SDavid Sterba 	0x1f83d9abfb41bd6bULL, 0x5be0cd19137e2179ULL
5191d68933SDavid Sterba };
5291d68933SDavid Sterba 
5391d68933SDavid Sterba static const u8 blake2b_sigma[12][16] = {
5491d68933SDavid Sterba 	{  0,  1,  2,  3,  4,  5,  6,  7,  8,  9, 10, 11, 12, 13, 14, 15 },
5591d68933SDavid Sterba 	{ 14, 10,  4,  8,  9, 15, 13,  6,  1, 12,  0,  2, 11,  7,  5,  3 },
5691d68933SDavid Sterba 	{ 11,  8, 12,  0,  5,  2, 15, 13, 10, 14,  3,  6,  7,  1,  9,  4 },
5791d68933SDavid Sterba 	{  7,  9,  3,  1, 13, 12, 11, 14,  2,  6,  5, 10,  4,  0, 15,  8 },
5891d68933SDavid Sterba 	{  9,  0,  5,  7,  2,  4, 10, 15, 14,  1, 11, 12,  6,  8,  3, 13 },
5991d68933SDavid Sterba 	{  2, 12,  6, 10,  0, 11,  8,  3,  4, 13,  7,  5, 15, 14,  1,  9 },
6091d68933SDavid Sterba 	{ 12,  5,  1, 15, 14, 13,  4, 10,  0,  7,  6,  3,  9,  2,  8, 11 },
6191d68933SDavid Sterba 	{ 13, 11,  7, 14, 12,  1,  3,  9,  5,  0, 15,  4,  8,  6,  2, 10 },
6291d68933SDavid Sterba 	{  6, 15, 14,  9, 11,  3,  0,  8, 12,  2, 13,  7,  1,  4, 10,  5 },
6391d68933SDavid Sterba 	{ 10,  2,  8,  4,  7,  6,  1,  5, 15, 11,  9, 14,  3, 12, 13,  0 },
6491d68933SDavid Sterba 	{  0,  1,  2,  3,  4,  5,  6,  7,  8,  9, 10, 11, 12, 13, 14, 15 },
6591d68933SDavid Sterba 	{ 14, 10,  4,  8,  9, 15, 13,  6,  1, 12,  0,  2, 11,  7,  5,  3 }
6691d68933SDavid Sterba };
6791d68933SDavid Sterba 
6891d68933SDavid Sterba static void blake2b_increment_counter(struct blake2b_state *S, const u64 inc)
6991d68933SDavid Sterba {
7091d68933SDavid Sterba 	S->t[0] += inc;
7191d68933SDavid Sterba 	S->t[1] += (S->t[0] < inc);
7291d68933SDavid Sterba }
7391d68933SDavid Sterba 
7491d68933SDavid Sterba #define G(r,i,a,b,c,d)                                  \
7591d68933SDavid Sterba 	do {                                            \
7691d68933SDavid Sterba 		a = a + b + m[blake2b_sigma[r][2*i+0]]; \
7791d68933SDavid Sterba 		d = ror64(d ^ a, 32);                   \
7891d68933SDavid Sterba 		c = c + d;                              \
7991d68933SDavid Sterba 		b = ror64(b ^ c, 24);                   \
8091d68933SDavid Sterba 		a = a + b + m[blake2b_sigma[r][2*i+1]]; \
8191d68933SDavid Sterba 		d = ror64(d ^ a, 16);                   \
8291d68933SDavid Sterba 		c = c + d;                              \
8391d68933SDavid Sterba 		b = ror64(b ^ c, 63);                   \
8491d68933SDavid Sterba 	} while (0)
8591d68933SDavid Sterba 
8691d68933SDavid Sterba #define ROUND(r)                                \
8791d68933SDavid Sterba 	do {                                    \
8891d68933SDavid Sterba 		G(r,0,v[ 0],v[ 4],v[ 8],v[12]); \
8991d68933SDavid Sterba 		G(r,1,v[ 1],v[ 5],v[ 9],v[13]); \
9091d68933SDavid Sterba 		G(r,2,v[ 2],v[ 6],v[10],v[14]); \
9191d68933SDavid Sterba 		G(r,3,v[ 3],v[ 7],v[11],v[15]); \
9291d68933SDavid Sterba 		G(r,4,v[ 0],v[ 5],v[10],v[15]); \
9391d68933SDavid Sterba 		G(r,5,v[ 1],v[ 6],v[11],v[12]); \
9491d68933SDavid Sterba 		G(r,6,v[ 2],v[ 7],v[ 8],v[13]); \
9591d68933SDavid Sterba 		G(r,7,v[ 3],v[ 4],v[ 9],v[14]); \
9691d68933SDavid Sterba 	} while (0)
9791d68933SDavid Sterba 
9891d68933SDavid Sterba static void blake2b_compress(struct blake2b_state *S,
9991d68933SDavid Sterba 			     const u8 block[BLAKE2B_BLOCKBYTES])
10091d68933SDavid Sterba {
10191d68933SDavid Sterba 	u64 m[16];
10291d68933SDavid Sterba 	u64 v[16];
10391d68933SDavid Sterba 	size_t i;
10491d68933SDavid Sterba 
10591d68933SDavid Sterba 	for (i = 0; i < 16; ++i)
10691d68933SDavid Sterba 		m[i] = get_unaligned_le64(block + i * sizeof(m[i]));
10791d68933SDavid Sterba 
10891d68933SDavid Sterba 	for (i = 0; i < 8; ++i)
10991d68933SDavid Sterba 		v[i] = S->h[i];
11091d68933SDavid Sterba 
11191d68933SDavid Sterba 	v[ 8] = blake2b_IV[0];
11291d68933SDavid Sterba 	v[ 9] = blake2b_IV[1];
11391d68933SDavid Sterba 	v[10] = blake2b_IV[2];
11491d68933SDavid Sterba 	v[11] = blake2b_IV[3];
11591d68933SDavid Sterba 	v[12] = blake2b_IV[4] ^ S->t[0];
11691d68933SDavid Sterba 	v[13] = blake2b_IV[5] ^ S->t[1];
11791d68933SDavid Sterba 	v[14] = blake2b_IV[6] ^ S->f[0];
11891d68933SDavid Sterba 	v[15] = blake2b_IV[7] ^ S->f[1];
11991d68933SDavid Sterba 
12091d68933SDavid Sterba 	ROUND(0);
12191d68933SDavid Sterba 	ROUND(1);
12291d68933SDavid Sterba 	ROUND(2);
12391d68933SDavid Sterba 	ROUND(3);
12491d68933SDavid Sterba 	ROUND(4);
12591d68933SDavid Sterba 	ROUND(5);
12691d68933SDavid Sterba 	ROUND(6);
12791d68933SDavid Sterba 	ROUND(7);
12891d68933SDavid Sterba 	ROUND(8);
12991d68933SDavid Sterba 	ROUND(9);
13091d68933SDavid Sterba 	ROUND(10);
13191d68933SDavid Sterba 	ROUND(11);
132*0c0408e8SArnd Bergmann #ifdef CONFIG_CC_IS_CLANG
133*0c0408e8SArnd Bergmann #pragma nounroll /* https://bugs.llvm.org/show_bug.cgi?id=45803 */
134*0c0408e8SArnd Bergmann #endif
13591d68933SDavid Sterba 	for (i = 0; i < 8; ++i)
13691d68933SDavid Sterba 		S->h[i] = S->h[i] ^ v[i] ^ v[i + 8];
13791d68933SDavid Sterba }
13891d68933SDavid Sterba 
13991d68933SDavid Sterba #undef G
14091d68933SDavid Sterba #undef ROUND
14191d68933SDavid Sterba 
142c433a1a8SDavid Sterba struct blake2b_tfm_ctx {
14391d68933SDavid Sterba 	u8 key[BLAKE2B_KEYBYTES];
14491d68933SDavid Sterba 	unsigned int keylen;
14591d68933SDavid Sterba };
14691d68933SDavid Sterba 
147c433a1a8SDavid Sterba static int blake2b_setkey(struct crypto_shash *tfm, const u8 *key,
14891d68933SDavid Sterba 			  unsigned int keylen)
14991d68933SDavid Sterba {
150c433a1a8SDavid Sterba 	struct blake2b_tfm_ctx *tctx = crypto_shash_ctx(tfm);
15191d68933SDavid Sterba 
152674f368aSEric Biggers 	if (keylen == 0 || keylen > BLAKE2B_KEYBYTES)
15391d68933SDavid Sterba 		return -EINVAL;
15491d68933SDavid Sterba 
155c433a1a8SDavid Sterba 	memcpy(tctx->key, key, keylen);
156c433a1a8SDavid Sterba 	tctx->keylen = keylen;
15791d68933SDavid Sterba 
15891d68933SDavid Sterba 	return 0;
15991d68933SDavid Sterba }
16091d68933SDavid Sterba 
161e3749695SDavid Sterba static int blake2b_init(struct shash_desc *desc)
16291d68933SDavid Sterba {
163c433a1a8SDavid Sterba 	struct blake2b_tfm_ctx *tctx = crypto_shash_ctx(desc->tfm);
16491d68933SDavid Sterba 	struct blake2b_state *state = shash_desc_ctx(desc);
16591d68933SDavid Sterba 	const int digestsize = crypto_shash_digestsize(desc->tfm);
16691d68933SDavid Sterba 
167e3749695SDavid Sterba 	memset(state, 0, sizeof(*state));
168e3749695SDavid Sterba 	memcpy(state->h, blake2b_IV, sizeof(state->h));
169e3749695SDavid Sterba 
170e3749695SDavid Sterba 	/* Parameter block is all zeros except index 0, no xor for 1..7 */
171c433a1a8SDavid Sterba 	state->h[0] ^= 0x01010000 | tctx->keylen << 8 | digestsize;
172e3749695SDavid Sterba 
173c433a1a8SDavid Sterba 	if (tctx->keylen) {
174e87e484dSDavid Sterba 		/*
175e87e484dSDavid Sterba 		 * Prefill the buffer with the key, next call to _update or
176e87e484dSDavid Sterba 		 * _final will process it
177e87e484dSDavid Sterba 		 */
178c433a1a8SDavid Sterba 		memcpy(state->buf, tctx->key, tctx->keylen);
179e87e484dSDavid Sterba 		state->buflen = BLAKE2B_BLOCKBYTES;
180e3749695SDavid Sterba 	}
18191d68933SDavid Sterba 	return 0;
18291d68933SDavid Sterba }
18391d68933SDavid Sterba 
1840b4b5f10SDavid Sterba static int blake2b_update(struct shash_desc *desc, const u8 *in,
1850b4b5f10SDavid Sterba 			  unsigned int inlen)
18691d68933SDavid Sterba {
18791d68933SDavid Sterba 	struct blake2b_state *state = shash_desc_ctx(desc);
1880b4b5f10SDavid Sterba 	const size_t left = state->buflen;
1890b4b5f10SDavid Sterba 	const size_t fill = BLAKE2B_BLOCKBYTES - left;
19091d68933SDavid Sterba 
1910b4b5f10SDavid Sterba 	if (!inlen)
1920b4b5f10SDavid Sterba 		return 0;
1930b4b5f10SDavid Sterba 
1940b4b5f10SDavid Sterba 	if (inlen > fill) {
1950b4b5f10SDavid Sterba 		state->buflen = 0;
1960b4b5f10SDavid Sterba 		/* Fill buffer */
1970b4b5f10SDavid Sterba 		memcpy(state->buf + left, in, fill);
1980b4b5f10SDavid Sterba 		blake2b_increment_counter(state, BLAKE2B_BLOCKBYTES);
1990b4b5f10SDavid Sterba 		/* Compress */
2000b4b5f10SDavid Sterba 		blake2b_compress(state, state->buf);
2010b4b5f10SDavid Sterba 		in += fill;
2020b4b5f10SDavid Sterba 		inlen -= fill;
2030b4b5f10SDavid Sterba 		while (inlen > BLAKE2B_BLOCKBYTES) {
2040b4b5f10SDavid Sterba 			blake2b_increment_counter(state, BLAKE2B_BLOCKBYTES);
2050b4b5f10SDavid Sterba 			blake2b_compress(state, in);
2060b4b5f10SDavid Sterba 			in += BLAKE2B_BLOCKBYTES;
2070b4b5f10SDavid Sterba 			inlen -= BLAKE2B_BLOCKBYTES;
2080b4b5f10SDavid Sterba 		}
2090b4b5f10SDavid Sterba 	}
2100b4b5f10SDavid Sterba 	memcpy(state->buf + state->buflen, in, inlen);
2110b4b5f10SDavid Sterba 	state->buflen += inlen;
2120b4b5f10SDavid Sterba 
21391d68933SDavid Sterba 	return 0;
21491d68933SDavid Sterba }
21591d68933SDavid Sterba 
216086db43bSDavid Sterba static int blake2b_final(struct shash_desc *desc, u8 *out)
21791d68933SDavid Sterba {
21891d68933SDavid Sterba 	struct blake2b_state *state = shash_desc_ctx(desc);
21991d68933SDavid Sterba 	const int digestsize = crypto_shash_digestsize(desc->tfm);
220086db43bSDavid Sterba 	size_t i;
22191d68933SDavid Sterba 
222086db43bSDavid Sterba 	blake2b_increment_counter(state, state->buflen);
223a2e4bdceSDavid Sterba 	/* Set last block */
224a2e4bdceSDavid Sterba 	state->f[0] = (u64)-1;
225086db43bSDavid Sterba 	/* Padding */
226086db43bSDavid Sterba 	memset(state->buf + state->buflen, 0, BLAKE2B_BLOCKBYTES - state->buflen);
227086db43bSDavid Sterba 	blake2b_compress(state, state->buf);
228086db43bSDavid Sterba 
229086db43bSDavid Sterba 	/* Avoid temporary buffer and switch the internal output to LE order */
230086db43bSDavid Sterba 	for (i = 0; i < ARRAY_SIZE(state->h); i++)
231086db43bSDavid Sterba 		__cpu_to_le64s(&state->h[i]);
232086db43bSDavid Sterba 
233086db43bSDavid Sterba 	memcpy(out, state->h, digestsize);
23491d68933SDavid Sterba 	return 0;
23591d68933SDavid Sterba }
23691d68933SDavid Sterba 
23791d68933SDavid Sterba static struct shash_alg blake2b_algs[] = {
23891d68933SDavid Sterba 	{
23991d68933SDavid Sterba 		.base.cra_name		= "blake2b-160",
24091d68933SDavid Sterba 		.base.cra_driver_name	= "blake2b-160-generic",
24191d68933SDavid Sterba 		.base.cra_priority	= 100,
24291d68933SDavid Sterba 		.base.cra_flags		= CRYPTO_ALG_OPTIONAL_KEY,
24391d68933SDavid Sterba 		.base.cra_blocksize	= BLAKE2B_BLOCKBYTES,
244c433a1a8SDavid Sterba 		.base.cra_ctxsize	= sizeof(struct blake2b_tfm_ctx),
24591d68933SDavid Sterba 		.base.cra_module	= THIS_MODULE,
24691d68933SDavid Sterba 		.digestsize		= BLAKE2B_160_DIGEST_SIZE,
247c433a1a8SDavid Sterba 		.setkey			= blake2b_setkey,
248e3749695SDavid Sterba 		.init			= blake2b_init,
2490b4b5f10SDavid Sterba 		.update			= blake2b_update,
250086db43bSDavid Sterba 		.final			= blake2b_final,
25191d68933SDavid Sterba 		.descsize		= sizeof(struct blake2b_state),
25291d68933SDavid Sterba 	}, {
25391d68933SDavid Sterba 		.base.cra_name		= "blake2b-256",
25491d68933SDavid Sterba 		.base.cra_driver_name	= "blake2b-256-generic",
25591d68933SDavid Sterba 		.base.cra_priority	= 100,
25691d68933SDavid Sterba 		.base.cra_flags		= CRYPTO_ALG_OPTIONAL_KEY,
25791d68933SDavid Sterba 		.base.cra_blocksize	= BLAKE2B_BLOCKBYTES,
258c433a1a8SDavid Sterba 		.base.cra_ctxsize	= sizeof(struct blake2b_tfm_ctx),
25991d68933SDavid Sterba 		.base.cra_module	= THIS_MODULE,
26091d68933SDavid Sterba 		.digestsize		= BLAKE2B_256_DIGEST_SIZE,
261c433a1a8SDavid Sterba 		.setkey			= blake2b_setkey,
262e3749695SDavid Sterba 		.init			= blake2b_init,
2630b4b5f10SDavid Sterba 		.update			= blake2b_update,
264086db43bSDavid Sterba 		.final			= blake2b_final,
26591d68933SDavid Sterba 		.descsize		= sizeof(struct blake2b_state),
26691d68933SDavid Sterba 	}, {
26791d68933SDavid Sterba 		.base.cra_name		= "blake2b-384",
26891d68933SDavid Sterba 		.base.cra_driver_name	= "blake2b-384-generic",
26991d68933SDavid Sterba 		.base.cra_priority	= 100,
27091d68933SDavid Sterba 		.base.cra_flags		= CRYPTO_ALG_OPTIONAL_KEY,
27191d68933SDavid Sterba 		.base.cra_blocksize	= BLAKE2B_BLOCKBYTES,
272c433a1a8SDavid Sterba 		.base.cra_ctxsize	= sizeof(struct blake2b_tfm_ctx),
27391d68933SDavid Sterba 		.base.cra_module	= THIS_MODULE,
27491d68933SDavid Sterba 		.digestsize		= BLAKE2B_384_DIGEST_SIZE,
275c433a1a8SDavid Sterba 		.setkey			= blake2b_setkey,
276e3749695SDavid Sterba 		.init			= blake2b_init,
2770b4b5f10SDavid Sterba 		.update			= blake2b_update,
278086db43bSDavid Sterba 		.final			= blake2b_final,
27991d68933SDavid Sterba 		.descsize		= sizeof(struct blake2b_state),
28091d68933SDavid Sterba 	}, {
28191d68933SDavid Sterba 		.base.cra_name		= "blake2b-512",
28291d68933SDavid Sterba 		.base.cra_driver_name	= "blake2b-512-generic",
28391d68933SDavid Sterba 		.base.cra_priority	= 100,
28491d68933SDavid Sterba 		.base.cra_flags		= CRYPTO_ALG_OPTIONAL_KEY,
28591d68933SDavid Sterba 		.base.cra_blocksize	= BLAKE2B_BLOCKBYTES,
286c433a1a8SDavid Sterba 		.base.cra_ctxsize	= sizeof(struct blake2b_tfm_ctx),
28791d68933SDavid Sterba 		.base.cra_module	= THIS_MODULE,
28891d68933SDavid Sterba 		.digestsize		= BLAKE2B_512_DIGEST_SIZE,
289c433a1a8SDavid Sterba 		.setkey			= blake2b_setkey,
290e3749695SDavid Sterba 		.init			= blake2b_init,
2910b4b5f10SDavid Sterba 		.update			= blake2b_update,
292086db43bSDavid Sterba 		.final			= blake2b_final,
29391d68933SDavid Sterba 		.descsize		= sizeof(struct blake2b_state),
29491d68933SDavid Sterba 	}
29591d68933SDavid Sterba };
29691d68933SDavid Sterba 
29791d68933SDavid Sterba static int __init blake2b_mod_init(void)
29891d68933SDavid Sterba {
29991d68933SDavid Sterba 	return crypto_register_shashes(blake2b_algs, ARRAY_SIZE(blake2b_algs));
30091d68933SDavid Sterba }
30191d68933SDavid Sterba 
30291d68933SDavid Sterba static void __exit blake2b_mod_fini(void)
30391d68933SDavid Sterba {
30491d68933SDavid Sterba 	crypto_unregister_shashes(blake2b_algs, ARRAY_SIZE(blake2b_algs));
30591d68933SDavid Sterba }
30691d68933SDavid Sterba 
30791d68933SDavid Sterba subsys_initcall(blake2b_mod_init);
30891d68933SDavid Sterba module_exit(blake2b_mod_fini);
30991d68933SDavid Sterba 
31091d68933SDavid Sterba MODULE_AUTHOR("David Sterba <kdave@kernel.org>");
31191d68933SDavid Sterba MODULE_DESCRIPTION("BLAKE2b generic implementation");
31291d68933SDavid Sterba MODULE_LICENSE("GPL");
31391d68933SDavid Sterba MODULE_ALIAS_CRYPTO("blake2b-160");
31491d68933SDavid Sterba MODULE_ALIAS_CRYPTO("blake2b-160-generic");
31591d68933SDavid Sterba MODULE_ALIAS_CRYPTO("blake2b-256");
31691d68933SDavid Sterba MODULE_ALIAS_CRYPTO("blake2b-256-generic");
31791d68933SDavid Sterba MODULE_ALIAS_CRYPTO("blake2b-384");
31891d68933SDavid Sterba MODULE_ALIAS_CRYPTO("blake2b-384-generic");
31991d68933SDavid Sterba MODULE_ALIAS_CRYPTO("blake2b-512");
32091d68933SDavid Sterba MODULE_ALIAS_CRYPTO("blake2b-512-generic");
321